March 17, 1997 1:30 PM ET

Usenet newsgroups hacked; ISP security compromised
By Maria Seminerio

Thousands of servers may have been affected by attacks on Usenet this weekend and this morning that exploited a bug in InterNetNews software, enabling hackers to execute malicious commands even behind corporate firewalls.

The Computer Emergency Response Team posted fixes for the bug, which affects versions of INN up to 1.5, after being alerted to the problem by a Massachusetts Institute of Technology engineer.

Matt Power, a post-doctoral associate in computer science at MIT, in Cambridge, Mass., said the attack was the most significant Usenet security breach since the 1988 "Morris Internet worm" attack.

"It's rare to hear of a successful attempt to automate the penetration of probably thousands of servers throughout the Internet," Power said.

The attack began Saturday when someone posted four control messages in an attempt to gather password file and other configuration information from Usenet news sites by exploiting the INN bug, which was previously reported in a Feb. 20 CERT advisory, he said.

Fixes for the bug also were provided to CERT by an Internet Software Consortium programmer, James Brister, CERT officials said.

The bug enables control messages to be sent via UCB Mail without armoring tilde characters that begin lines, providing a window for malicious code to slip through firewalls.
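
The armoring step described above, sketched as an added example that is not part of the original article or of INN's own code. It assumes a mailer that treats any input line beginning with "~" as an escape and "~~" as a literal leading tilde; the function name and the sample message are constructed for illustration.

```python
import re

# Assumption: the mailer reads the message body line by line, acts on any
# line whose first character is "~", and accepts "~~" as a literal tilde.
# Bare CR is treated as a line break too, so a tilde cannot hide behind one.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def armor_tilde_lines(text):
    """Return (armored_text, flagged).

    armored_text has every line that began with "~" prefixed with a second
    "~" and all line endings normalised to "\n". flagged lists the 1-based
    numbers of the lines that needed armoring, for logging or rejection.
    """
    armored, flagged = [], []
    for number, line in enumerate(_LINE_BREAK.split(text), 1):
        if line.startswith("~"):
            flagged.append(number)
            line = "~" + line
        armored.append(line)
    return "\n".join(armored), flagged


# Constructed sample control message (not taken from the real incident).
SAMPLE = (
    "Control: newgroup example.test\r\n"
    "Subject: constructed sample\n"
    "\n"
    "~ constructed line that starts with a tilde\n"
    "ordinary text with a ~ in the middle\r"
    "~ line hidden behind a bare carriage return\n"
)

if __name__ == "__main__":
    body, hits = armor_tilde_lines(SAMPLE)
    print("lines armored:", hits)
    print(body)
```

Run the function once, immediately before the text is handed to the mailer: applying it twice doubles the tildes again.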

The glitch also allows unauthorized access to news servers, Power added.

"You could become a valid user of a news server as a consequence of just sending a message," he said.

Smaller Internet service providers are particularly vulnerable, since they might locate all their data on a single computer, Power said.

This weekend's attack differs from previous instances of hacking on Usenet in that it appears to be indiscriminate--every Usenet news server using the INN software was affected.

CERT recommends that all sites using INN update to Version 1.5.1 and apply a patch that is posted at ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.

So far, the hackers have not been identified, according to CERT.

Copyright (c) 1997 Ziff-Davis Publishing Company. All rights reserved.